I'm working on deploying a containerized .NET application that connects to a government login provider. This setup requires using various certificates for secure communication and encryption. We're using Rancher for hosting, but this is our first time dealing with this provider and managing certificates, so we're a bit lost.
I want to avoid baking the certificates directly into the application since we'll have different ones for testing and production, and I definitely don't want to rebuild the app for every cert update. Plus, I'm not sure if we're even allowed to handle the production gov certificates directly.
My first thought was to mount volumes for the certificates, but I'm unsure if that's a common best practice. The final app will go from a repository to a test environment before hitting production. Although this question has a DevOps aspect, I'm looking for clear guidance to start with before diving deeper.
2 Answers
If your app is web-based, you might want to terminate TLS at the load balancer or a reverse proxy. This way, the application itself doesn't have to handle server certificates. For client certificates or mTLS, you can explore using Docker secrets or Kubernetes secrets, which can be mounted like volumes.
Have you considered using Hashicorp Vault? They have excellent resources explaining how to securely store and manage certificates. It could be really helpful for your case.
I get that; I have a couple of certificates too for message encryption. It's critical to manage them properly.